Rethinking Proof of Address in the Age of Digital Finance

The Onboarding Friction That Nobody Talks About

There is an uncomfortable truth at the heart of virtual asset regulation: the single biggest point of friction in customer onboarding for cryptocurrency exchanges is not identity verification, sanctions screening, or source-of-funds inquiries. It is the humble proof of address.

For decades, a utility bill or bank statement confirming a customer’s residential address has been the bedrock of know-your-customer processes. The logic was straightforward. If you know where someone lives, you can tie them to a jurisdiction, apply the right regulatory regime, and in the worst case, find them. In a world of branch-based banking and paper-driven commerce, this made perfect sense.

That world no longer exists. The customer base for digital asset platforms is global, mobile, and overwhelmingly digital-native. Many users have never set foot in a bank branch. A significant proportion are young adults who do not hold utility accounts in their own name. Others live in jurisdictions where formal address documentation is inconsistent or unavailable. And all of them are being asked to photograph a paper document and upload it to a platform that otherwise operates entirely in the digital domain.

The result is predictable: abandonment rates spike at the proof-of-address stage. Legitimate customers fall out of the onboarding funnel. And exchanges that impose mandatory documentary proof of address at registration find themselves at a measurable competitive disadvantage against platforms that have adopted more graduated approaches.

The challenge is not whether address verification matters — it plainly does. The challenge is whether the inherited methodology is still proportionate and fit for purpose in a sector that looks nothing like the financial services industry for which it was originally designed.

What the Major Platforms Are Actually Doing

A survey of the largest global cryptocurrency exchanges reveals a striking pattern. The dominant platforms, those with the broadest regulatory footprints and the deepest compliance infrastructure, do not require documentary proof of address at initial registration. Instead, they operate tiered or triggered models. A new user provides core identity information (name, date of birth, nationality, and a government-issued identity document), undergoes automated identity verification, and is granted access to basic trading functionality. Documentary proof of address is then triggered only when the customer seeks to increase withdrawal limits, access fiat currency on-ramps, or otherwise move beyond a defined risk threshold.

This is not regulatory arbitrage. These platforms hold licences across multiple jurisdictions, the UAE, the European Economic Area under MiCA, Japan, Australia, and others. Their tiered models have been presented to, and accepted by, regulators in each of those markets. The approach is grounded in a risk-based methodology: low-activity, crypto-to-crypto users present a different risk profile from high-volume traders moving funds between fiat and digital assets, and the verification burden should reflect that distinction.

The contrast with platforms that mandate proof of address for every customer, regardless of activity level or risk profile, is commercially significant. It also raises a legitimate regulatory question: if the world’s most scrutinised exchanges have concluded that mandatory upfront proof of address is neither required nor proportionate in most of their licensed jurisdictions, what does that tell us about the regulatory frameworks that still appear to demand it?

The Statutory Landscape: Broad Language, Conservative Practice

The answer, in many offshore financial centres, is that the statutory language is considerably more flexible than industry practice has assumed.

Bermuda: A Framework That Already Supports Electronic Verification

Take Bermuda as an example. The Proceeds of Crime (Anti-Money Laundering and Anti-Terrorist Financing) Regulations 2008 define customer due diligence as identifying the customer and verifying the customer’s identity “on the basis of documents, data or information obtained from a reliable and independent source.” The critical phrase is “documents, data or information”, the statute treats these as alternatives, not as a hierarchy with documentary evidence at the top.

More significantly, Regulation 8 of the POCR addresses the timing of verification. While the general rule requires verification before establishing a business relationship, Regulation 8(3) permits verification to be completed during or after the establishment of the relationship, provided three conditions are met: it is necessary not to interrupt the normal conduct of business; there is little risk of money laundering or terrorist financing; and any risks that arise are effectively managed. This is not an obscure exception. It is a clearly articulated provision that contemplates precisely the kind of tiered onboarding model that the major exchanges have adopted.

The accompanying Guidance Notes go further. Section 4.30 explicitly addresses electronic verification, confirming that regulated financial institutions may corroborate customer information against electronic databases. The standard is clear: one match on full name and current address from one source, and a second match on full name and either current address or date of birth from a different source. The Guidance also sets out detailed criteria for evaluating commercial electronic verification providers, including data breadth, multi-source matching, negative screening, and process transparency.

The regulatory infrastructure, in other words, already exists. A Bermuda-licensed exchange that wishes to defer documentary proof of address for low-risk, crypto-only customers and rely instead on electronic database verification during an interim period has a defensible statutory basis for doing so, provided it documents its risk assessment, imposes appropriate transaction limits, and completes full verification within a reasonable timeframe.

Seychelles: Broad Statute, Narrow Guidance

The Seychelles presents a more nuanced picture. The Anti-Money Laundering and Countering the Financing of Terrorism Act, 2020 which applies to all VASPs licensed under the Virtual Asset Service Providers Act, 2024, uses language that is, if anything, broader than Bermuda’s. Section 35(2)(a) requires reporting entities to identify customers “on the basis of documents, data or information obtained from a reliable and independent source or from any other source that the reporting entity has reasonable grounds to believe and can be relied upon.”

On a plain reading, this language does not prescribe documentary proof of address. It accommodates data-driven verification. The emphasis on “reasonable grounds to believe” and the inclusion of “any other source” suggest a legislature that intended flexibility rather than rigidity.

The difficulty lies in the regulatory overlay. The Central Bank of Seychelles has issued a directive pursuant to Section 35 that specifies acceptable sources for proof of address verification. That directive, addressed to banks, bureaux de change, payment service providers, and related entities identifies traditional documentary sources: utility bills, bank statements, government correspondence, and the like. While the directive pre-dates the VASP Act and does not expressly address licensed VASPs, there is no subsequent guidance from the Financial Services Authority that establishes an alternative framework for virtual asset service providers.

This creates an interpretive gap. The statute is broad. The only published guidance is narrow. And the regulator has not yet spoken to how the CDD framework applies specifically to the VASP sector. In that environment, a licensed exchange that unilaterally departs from the CBS directive, however well-reasoned its legal analysis, takes on regulatory risk that is difficult to quantify.

The gap between what the law permits and what regulators expect is where compliance risk lives. Closing that gap requires regulators to engage with the specific characteristics of the VASP sector, not simply extend banking-era guidance by default.

The FATF Framework: Supportive, But Not a Substitute

The Financial Action Task Force’s 2020 Guidance on Digital Identity is often cited as authority for the proposition that electronic and data-driven verification methods are permissible substitutes for traditional documentary evidence. The citation is accurate as far as it goes. Recommendation 10 is explicitly technology-neutral. The Guidance confirms that “documents, data or information” can be in digital form. And it states that non-face-to-face relationships, when supported by reliable digital identity systems with appropriate risk mitigation, may present standard or even lower risk.

What the FATF Guidance does not do, and cannot do is override local regulatory requirements. FATF sets international standards. It does not regulate. Where a national regulator has issued guidance that interprets “reliable and independent source” as meaning traditional documentary evidence, a regulated entity cannot simply point to FATF and say that a different approach is permissible. The FATF framework is persuasive authority for engaging regulators in a conversation about modernisation. It is not a licence to depart from published local guidance.

That said, the FATF Guidance is enormously useful as a tool for regulatory engagement. It provides a credible, internationally recognised framework that regulators can adopt without appearing to lower standards. It articulates the conditions under which electronic verification is appropriate. And it gives regulated entities a common language for discussing alternative approaches with their supervisory authorities.

IP Triangulation: Promise and Limits

One technical alternative that has attracted attention is IP address triangulation, the practice of cross-referencing a user’s IP address against multiple geolocation service providers to confirm their approximate physical location. The appeal is obvious: it is automated, non-intrusive, and generates a data point that can be captured and stored for audit purposes without requiring any action from the customer.

The limitations are equally obvious. IP geolocation is an approximation, not a verification. It identifies a device’s probable location, not a person’s residential address. It is trivially defeatable with a VPN. And it does not meet the multi-source, multi-attribute matching standard that most regulatory frameworks, including Bermuda’s two-source standard, require for electronic verification.

That does not make IP triangulation useless. As one component of a broader electronic verification suite, combined with identity document verification, database matching, and transaction monitoring, it can contribute to an overall risk assessment. It is particularly valuable as a screening mechanism for jurisdictional restrictions, identifying users who may be accessing the platform from prohibited locations. But it should not be confused with address verification, and it should not be presented to regulators as a standalone substitute for proof of address.

A Constructive Path Forward

The question is not whether the current approach to proof of address in the VASP sector is suboptimal it plainly is. The question is how to move from the current position to a more proportionate framework without creating regulatory risk or undermining AML integrity. There are, in our view, several concrete steps that both regulators and industry participants can take.

For regulators

• First, jurisdictions that have enacted VASP-specific legislation should issue corresponding VASP-specific CDD guidance. The Seychelles is a case in point: the VASP Act came into force in September 2024, but licensed VASPs are still operating under general AML guidance designed for traditional financial institutions. The FSA has an opportunity to set out a CDD framework that reflects the realities of non-face-to-face, digital-only customer relationships, including the role of electronic verification, the circumstances in which documentary proof of address is and is not required, and the conditions for risk-based deferral.
• Second, regulators should engage with the FATF Digital Identity guidance as a practical blueprint. The Guidance provides a ready-made framework for evaluating electronic verification systems against the “reliable and independent” standard. Adopting it, or adapting it to local conditions would give regulated entities clarity while maintaining supervisory expectations.
• Third, regulators should consider the competitive implications of maintaining requirements that the major global platforms have moved beyond. Offshore financial centres compete for VASP business. A jurisdiction that imposes CDD requirements materially more burdensome than those accepted in Dubai, the EEA, or Singapore will find that competition difficult.

For virtual asset service providers

• First, platforms should not wait for regulatory guidance to evolve. Where the statutory framework supports a tiered approach, as Bermuda’s clearly does, platforms should develop and document risk-based onboarding models that take advantage of the flexibility the legislation provides. The key is rigour: a properly documented risk assessment, clear transaction limits during the interim period, defined triggers for full verification, and robust monitoring throughout.
• Second, where the regulatory position is less certain, as in Seychelles, the constructive approach is formal engagement with the regulator. A well-prepared submission seeking clarification on CDD requirements for licensed VASPs serves multiple purposes. It demonstrates good faith. It gives the regulator an opportunity to articulate its expectations. And it creates a record that protects the platform regardless of the outcome.
• Third, platforms should invest in electronic verification infrastructure that meets the standards regulators are likely to require. That means multi-source database matching, not IP geolocation alone. It means systems that generate auditable records. And it means ongoing monitoring that uses the data generated by the verification process to support transaction surveillance and risk assessment.

The Bigger Picture

The proof-of-address question is, at bottom, a question about whether offshore regulatory frameworks are keeping pace with the sectors they regulate. The answer, in many jurisdictions, is not yet, but the building blocks are in place. The statutory language is typically broad enough to accommodate modern verification methods. The FATF framework provides international cover. And the competitive dynamics of the VASP sector create strong incentives for regulators to modernise.

What is needed is not a lowering of standards. It is a recalibration of methodology. The objective of address verification, tying a customer to a jurisdiction, supporting ongoing monitoring, enabling regulatory cooperation, can be achieved through electronic means as effectively as through a photographed utility bill. In many cases, more effectively: electronic verification generates structured, searchable data that a scanned document does not.

The exchanges that are getting this right are not cutting corners. They are investing heavily in compliance technology, maintaining extensive regulatory portfolios, and engaging constructively with supervisors. They have concluded, correctly in our view, that a risk-based, technology-enabled approach to customer verification is not only commercially sensible but also more aligned with the underlying objectives of AML regulation than the documentary-centric model it is beginning to replace.

The offshore jurisdictions that recognise this — and that move purposefully to update their guidance accordingly, will be the ones that attract and retain the next generation of regulated digital asset businesses. Those that do not will find that the market, as it tends to do, moves on.

This article is intended for general informational purposes and does not constitute legal advice. The views expressed are those of the author and do not necessarily represent the position of Appleby or its clients. Readers should seek independent legal counsel in respect of their specific circumstances.